"Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole Internet—including internally in enterprises—obliterate user IDs and passwords and PINs from the face of the planet."

That's what Michael Barrett, chief information security officer at PayPal, told the network industry today at the Interop conference in Las Vegas. Barrett's second job is as president of the FIDO Alliance, a recently unveiled consortium trying to create an open standard that could replace passwords. Google, Lenovo, and other companies have representatives on FIDO's board of directors.

FIDO, which stands for Fast Identity Online, would work by requiring users to authenticate to their smartphone or other personal device, which then authenticates to a website (such as PayPal) using FIDO's protocols.

"There is a FIDO client or a FIDO stack that has to be on the device concerned," Barrett said. "That piece of software, think of it as a shim, knows how to talk the FIDO protocol back to the relying parties' server. Say you show up to PayPal.com once PayPal becomes FIDO-enabled, which we're in the process of doing. Once you come to our site, we will ping the device."

The device will then enumerate to the user the ways in which it can support authentication, from fingerprint sensing to eye scans.

"For most people, they authenticate to a very small set of devices. The notion is you authenticate to your device and the device authenticates securely to a [website]," Barrett said. "The credentials that authenticate you to your device are stored securely in the device and do not leave it."

Barrett said FIDO-enabled devices will become available this year. That advance will be enabled in part by smartphones supporting fingerprint readers, Barrett said, noting that Apple bought a fingerprint sensor technology company last year and is assumed to be building it into the iPhone. "That tells you there is going to be a fingerprint-enabled phone in the market later this year, not just one, but multiple, because the Android ecosystem is adapting," he said.

Phones could also authenticate a user with voice biometrics, eye scans, or facial recognition, he said. On PCs, there would be a browser plugin which could recognize the authentication methods that the system is capable of. A USB stick loaded with FIDO software could also work, allowing users to authenticate to computers they don't own. Google is reportedly working on similar ways to eliminate the password.

The FIDO website further explains:

A FIDO user will have a FIDO Authenticator or token that they chose or was given to them. This could be any authenticator type that supports FIDO such as a built-in finger scan or a USB memory drive with a password. Users may pick the authenticator type that best suits their needs.

FIDO Authenticators will come in two basic variations.

Identification tokens will be unique identifiers that can be connected to the user’s Internet accounts. Once they are connected to the account, they will be transparently presented each time the account is accessed as an identifier without the user needing to do anything else. This will provide single factor authentication.

Authentication tokens can ask the user to perform an explicit action to prove it is really the token owner. These actions could include entering a password, PIN or finger swipe. These authenticators will provide two factor authentication with the token being “something you have” and the password being “something you know” or the biometric being “something you are.”

Tokens sent from user devices to websites will hit a validation cache that "check[s] the encrypted information and one-time passwords from the tokens to ensure that a token is not being spoofed."

There will also be FIDO repositories acting as clearinghouses for token information. "A FIDO repository will coordinate with token vendors to ensure that current token information is available," the organization says. "The repository will make it easier for websites to enable FIDO because they won’t need coordination with every token vendor. By connecting to a repository this coordination and current token information will be handled already."

Do you really want your refrigerator to know your PayPal password?

The reasons for creating an alternative to passwords are fairly clear: users have to remember dozens of passwords and often choose them poorly. "Left to their devices users will pick horrible passwords and then they'll reuse them all over the place," Barrett said.

Various data breaches have exposed millions of user IDs and passwords. Passwords are typically leaked in "hashed" form rather than as plaintext, but a hash is not reversed so much as guessed: when a site has used a fast hash function without a per-user salt, cheap GPUs and off-the-shelf cracking programs let even novice attackers test enormous numbers of candidate passwords offline against the stolen table and recover most of the weak ones.

The key is to make security better without making it difficult for users. Barrett showed a picture of an unwieldy-looking key ring holding a bunch of two-factor authentication devices, saying it's the actual key ring used by a PayPal security official.

"This is what we will get if we don't do something better than [passwords]," Barrett said. "And the average user will be looking for a rope and a tree, either to hang themselves or hang us, I'm not sure which."

The so-called "Internet of things" adds another wrinkle. Barrett talked about development of refrigerators that can sense what food is inside them and automatically order replacement groceries. Perhaps such technology will be commonplace in a few years—and your refrigerator will need a way to pay for food.

"It begs the question, do you really want your refrigerator to know your PayPal password?" Barrett said. "Unless we can solve that problem, life is not going to be good."

The FIDO Alliance has worked on its technology for nearly two years behind the scenes, and it started talking publicly a couple of months ago. Barrett said most advanced security mechanisms that go beyond passwords are proprietary and thus not interoperable. The FIDO Alliance aims to build a system that can be used by anyone.

The idea is certainly an exciting one. Passwords are so entrenched in daily Internet use that killing the password for good, as Barrett wants to, would be a monumental achievement. It may sound nearly impossible, but Barrett quoted Henry Ford as saying "Whether you believe you can, or whether you believe you can't—you're right."

I'm curious to hear from some of our more learned-in-security people on how secure the FIDO architecture actually is. Assuming the biometrics are solid and not easily bypassed or faked, would the architecture stand up to concerted intrusion efforts?

I not only don't want my refrigerator to know my PayPal password, I also don't want PayPal to know what I eat.

This concept makes sense, except for the fact that it only works if it's universally adopted. I can't picture every major financial institution and retailer being on board, and it doesn't help if a bad guy's inability to rob my Chase account just sends him to my BofA account instead.

We've had mixed success with biometrics. On several very high end, expensive laptops, we've found that the fingerprint reader works about 75% of the time. That's OK if you can just switch to the typed password, but I wouldn't want to explain to a waiter why I couldn't pay my bill, because all of a sudden my phone or his terminal won't accept my fingerprint.

First, regarding the "unwieldy keyring" - why do we need a separate security token for each login? Could the industry standardize the tokens, and let you configure the tokens with multiple different "seeds", so that if I want to login to site A, I ask the token to give me the current pseudo-random number for that site, and if I want to login to Site B, I ask it for that site? Each site can maintain a completely separate sequence by having a different seed.

Second, regarding scanning my eyeball or fingerprint - It seems like the problem with that is you only have so many eyes and fingers. That might be acceptable for one, or two, or a small number of trusted sites, but it doesn't scale - I don't want to give my retina-scan to Newegg.com for online ordering, or any of a thousand other sites - because then, isn't that essentially the same thing as using the same password at a bunch of sites, and could fail from the same problems - someone breaches the database of a site, grabs all the retina scans and corresponding user identities, and then goes and transmits those scans as if they had just had their phone scan it for them (as far as I know, a remote server has no way to distinguish too easily between a live scan, and someone just sending it a photo).

Your retina scan or fingerprint are a password you can NEVER CHANGE if they get breached - there's a scary thought.

How about just make your website password storage so secure that people cannot get at the user table so easily? Add a database monitoring service like Guardium that doesn't allow an attacker to read the whole freaking user table with all password hashes and the problem should be more or less solved.

Secondly lock an account after 10-15 bad password entries. Voila instant security. The only people who will be punished are the people who reuse their passwords too liberally. (And even there you only need different passwords for the dangerous sites.)

So we have a vague "just make it better!" call and a complete misunderstanding of the recent hacks. No, this isn't about retrying a password page. It's stealing the password database by making a copy of it, where you have all the time in the world to crack it.

Whose writings about how ostensibly 'voluntary' technologies become, over time, effectively mandatory, are actually pretty insightful(I'm told his work as a topologist was good too; but PhD level math is substantially over my head). His overtly homicidal tendencies certainly made sending him to prison a necessity; but they aren't much of a refutation of his writings on technology...

How about just make your website password storage so secure that people cannot get at the user table so easily? Add a database monitoring service like Guardium that doesn't allow an attacker to read the whole freaking user table with all password hashes and the problem should be more or less solved.

Secondly lock an account after 10-15 bad password entries. Voila instant security. The only people who will be punished are the people who reuse their passwords too liberally. (And even there you only need different passwords for the dangerous sites.)

Neither of these measures protect against keyloggers, phishing and other types of social engineering attacks, which are the most common way that passwords get compromised.

I don't want my refrigerator, or anything else I own, automatically ordering anything. Perhaps it could generate a list I can sync to my phone, but if I decide to eliminate dairy from my diet for whatever reason I really don't want to have to explain that to my refrigerator.

If biometrics unlock a password store (like LastPass) and then use individual (complex) passwords for each site, then I can get behind this. That way, existing password-based systems don't have to change.

Until they come up with a solution that does not require a second device, this is a poorly conceived path. What are the lower income supposed to do? Not use PayPal? Come on now. Be a little more in-touch with reality.

This seems like a wasteful, over-engineered reinventing of the wheel that doesn't actually bring any improvements. I wish they'd just push PKI tokens getting wider adoption. It wouldn't create anyone central to the process, no third parties would need to be involved, every site would be silo'd, and the tech is all there and in production right now (and has been for a long time).

My main concern with this is that it becomes the sole gatekeeper to your online identity, making it that much easier--and reliable--to track an individual across the entire internet.

Imagine this becoming ubiquitous; from a privacy standpoint, it'd be like every site decided they'd only accept federated Facebook logins. Ugh.

I know many people have given up on the idea of any kind of anonymity online, but I haven't, and worry about a future when it's impossible to do anything online without a group of corporations knowing every detail.

I'm all for getting rid of passwords. They are a non-intuitive form of authentication.

But neither am I enamored with the current state of biometric identification. I have to use a scanner at my workplace and it is slow, unreliable and questionably secure.

An idea before its time? In the meantime I'll keep using my password manager.

I think the title is a bit of a misnomer, as it looks like you can use passphrases to lock the devices themselves if you want. In which case, it is your password manager replacement. But instead of managing passwords, it is managing tokens/keys for you, which is still an improvement.

Add on top of that, if FIDO is actually using asymmetric encryption for authentication, then you can start playing with a few useful features of such a system:

- More resistant to DB dumps of the server-side tokens, as the public keys are meant to be public, and have to be cryptographically strong.
- Can even trigger automatic key regeneration by devices in the case of a DB dump if you are especially paranoid, without changing the user's authentication mechanism, allowing you to further mitigate risks of DB dumps.

As far as I can tell, this mechanism could be quite good. Especially if I can do something like attach my new phone to my existing FIDO identity and its device token is now usable in all the places my old phone was already set up to use. Then I can just focus on the security of my device which is a lot easier to do. I can also potentially revoke stolen devices in this scheme, invalidating the tokens outright without having to change all my site passwords.

Sounds like a definite step in the right direction to me, even without biometrics in the picture.

I'm thinking PayPal hasn't done much research into biometric scanners. For one, there is no existing system which can guarantee that it will only match your input to your account, let alone always match your input to your account.

Um, no. I prefer the status quo rather than being forced to be tied down to a single online identity that is permanently linked to my real world identity based on things I can't readily change at my own convenience.

I'm personally a fan of Yubikey's approach to 2FA. I really like the idea of using a USB key and not having to manually enter in a code. It also creates an intuitive process for automatically logging off (just remove the USB key).

If we're using phones though (e.g. for the benefit of having an interface for PINs), I hope the authentication mechanism doesn't require the phone to be online at the time -- e.g. it functions more or less the same way Google Authenticator does. Sometimes cell tower coverage sucks and connecting a phone to certain Wi-Fi networks can be a pain.

I'm personally a fan of Yubikey's approach to 2FA. I really like the idea of using a USB key and not having to manually enter in a code. It also creates an intuitive process for automatically logging off (just remove the USB key).

What if someone either stole or was able to make a copy of your USB key. For whatever amount of time they had access to your device, they would have access to all your accounts. What would be the other factor in this 2FA?

I have always been in favor of multi-part authentication. FIDO sounds very similar to what I've envisioned in the past...

The basic idea is sound; you carry a device with its own connection to the Internet, and that device pops up a login prompt when you connect to a site you haven't visited in a while. This is very similar to what Steam and my bank already do, except that they use my email account for this.

The only problem here is that you're still dealing with the loss of your physical "key" causing you to lose access to your on-line resources. I suppose it's less of a problem if you use multiple keys, so there's that.

I think what we'll eventually end up with is everyone carrying some sort of keychain fob that can act as a universal key and authenticator, but we'll make sure to keep a backup unit stashed at home, just in case.

I'm personally a fan of Yubikey's approach to 2FA. I really like the idea of using a USB key and not having to manually enter in a code. It also creates an intuitive process for automatically logging off (just remove the USB key).

What if someone either stole or was able to make a copy of your USB key. For whatever amount of time they had access to your device, they would have access to all your accounts. What would be the other factor in this 2FA?

My laptop has a SmartCard slot; I don't use it, but it's there... but even logging in with a SmartCard requires a password. The upside, though, is that removing the card immediately locks the computer (or logs you off... not sure, since I don't have an SC to test this with.)

So these multi-factor authentication systems would and should still require passwords; they just use your hardware device as an additional factor.

I'm personally a fan of Yubikey's approach to 2FA. I really like the idea of using a USB key and not having to manually enter in a code. It also creates an intuitive process for automatically logging off (just remove the USB key).

What if someone either stole or was able to make a copy of your USB key. For whatever amount of time they had access to your device, they would have access to all your accounts. What would be the other factor in this 2FA?

That's not how YubiKey works - they describe it on their site. Each one is unique, and it generates a one-time password instead of reusing the same information. If you copy one, the copy won't work because the unique identifier on the copy would be wrong.

Also, I doubt removing the YubiKey would log you out of anything - it's only acting at the moment you push the button to enter the one-time code. Otherwise, it's just sitting there doing nothing, so removing it seems like it would just go unnoticed by the system, web site, or whatever.

I have always been in favor of multi-part authentication. FIDO sounds very similar to what I've envisioned in the past...

The basic idea is sound; you carry a device with its own connection to the Internet, and that device pops up a login prompt when you connect to a site you haven't visited in a while. This is very similar to what Steam and my bank already do, except that they use my email account for this.

Reading the documents, this isn't what FIDO really does. It seems to handle something similar to PKI, but with the tokens built into the device itself. And a "device" in this case includes your PC. So you enter your information to the local device, it accepts it, unlocks the tokens, and uses them to authenticate for you.

Think something closer to how SSH key authentication or PKI work, just meant to be more ubiquitous.